book

Malicious Mobile Code

by Roger A. Grimes

August 2001

Intermediate to advanced

540 pages

18h 24m

English

O'Reilly Media, Inc.

Read now

Unlock full access

About This Book
Chapter Summary
The Hunt

Major Types of Malicious Mobile CodeIn the WildMalicious Mobile Code NamingVGrepHow Bad Is the Problem of Malicious Code?Home StatisticsThe Growing ProblemAnti-malicious Mobile Code Organizations
Inside the Malicious Hacker’s MindTypical Virus WriterProtesting with Malicious CodeMalicious Mobile Code for the Social Good?Hacker Clubs, Newsletters, and ContestsMalicious Code Tutorial BooksHow Does Malicious Code Spread?
Introduction
PC Boot Sequence.EXE and .COM Files.COM files.EXE filesSoftware to HardwareInterrupts
Writing a Virus
Boot VirusesHow boot viruses infect hard disksSpecial boot virus delivery methodsMemory ResidencyFile-Infecting VirusesOverwriting virusesCavity virusesAppending virusesOther executable typesCompanion virusesCluster viruses
EncryptionPolymorphismEntry Point ChangersRandom ExecutionStealthArmorA Good Defense Is a Bad OffenseTrouble on the Horizon
Windows TechnologiesWindows APIsWin32 API32-bit accessWindows BootingWindows Technologies Introduced with Windows 3.xText mode to GUI mode bootingVirtual machinesProgram information filesVirtual memory and swap filesNE executableCore Windows filesDynamic linking librariesProcesses and servicesInitialization filesSYSTEM.INIWIN.INIWININIT.INIStartup folderRegistration databaseFile type associationsHidden file extensionsFile types that can hurtResource sharingWindows 3.x Startup SequenceNew Technologies in Windows 9xOld carryoversDynamic VxDsWINSTART.BAT and DOSSTART.BATPortable executablesPassword filesIntegration of browser and web-based contentSafe modeHard drive file storage schemesMemory ringsWindows 9x Startup SequenceWindows NTSAM and NT securityAdministrators and domainsSystem accountsNTFSNT file streamsMultibootLogging and auditingNT 4.0 Boot Process
Windows MESystem restoreSystem file protectionWindows 2000Potentially abused componentsFuture Windows Versions
DOS Viruses on Windows PlatformsOverall Effects on All Windows PlatformsBoot virus infectionsFile infectionsWindows 3.x/DOS Virus InteractionDOS boot viruses and Windows 3.xDOS file infectors under Windows 3.xWindows 9x/DOS Virus InteractionsWindows 9x antivirus featuresBoot viruses and Windows 9xDOS file infectors under Windows 9xWindows NT/DOS Virus InteractionBoot viruses under NTDOS file infectors under NTDOS Virus in Windows Summary
First Windows VirusesEffects of Windows VirusesWindows virus implications
Common Signs and SymptomsPrograms Won’t StartWindows Cannot Use 32-bit Disk SupportNT STOP ErrorsInstallation ErrorsSwap File Problems
WinNT.Remote ExplorerWinNT.InfisWin95.CIHWin32.KrizWin95.BabyloniaWin95.FonoWin95.PrizzyWin32.CryptoWin32.BolzanoWin2K.Stream
Unplug the PC from the NetworkUse an Antivirus ScannerUse AV Boot in Windows 2000Troubleshoot Any Boot ProblemsRun ScandiskBoot to Safe ModeLook for Newly Modified ExecutablesLook for Strange Programs That Automatically StartLook for Strange Device DriversLook for 32-bit Performance to be DisabledUnexpected System File Protection Messages
Use an Antivirus ScannerRemoving Boot VirusesBoot with a clean diskRemoving the Boot Virus Manually
Research the VirusStop Any Virus ServicesBoot to the Command-line ModeDelete and Replace Infected FilesClean Up Startup AreasReplace Registry to Remove Malicious Startup ProgramsUsing System Recovery ToolsRestore from a Tape Backup
Install Antivirus SoftwareDisable Booting from Drive ADon’t Run Untrusted CodeInstall Service Packs and UpdatesReveal File ExtensionsLimit Administrative LogonsTighten Security
Microsoft Office Version Numbers
Why Virus Writers Like Macro VirusesHow Macro Viruses SpreadWhat a Macro Virus Can Do
Word MacrosAutomacrosVisual Basic for ApplicationsExcel Macros
Macro EditorOrganizerVisual Basic Editor
Security LevelsSigned MacrosTrusting Add-ins and TemplatesOffice 2000 Security Peculiarities
Word InfectionsExcel InfectionsGeneral Macro Virus TechniquesClass module virusesOffice disables macro copying commandsMRU exploitsEmail virusesAdd-in virusesStealth macro virusesEncrypted and polymorphic macro virusesDropping off a friendMore external manipulation with VBAStartup directory filesRandom evolutionConstruction kitsCross-platform infectorsShiver cross-platform virusLanguage problems
W97M.Melissa.acW97M.MarkerCaligula Word VirusTriplicate VirusGaLaDRieLW2KM_PSD
Macro WarningsWays viruses can get around macro warningsFalse-positivesYour Word Document Will Only Save as a TemplateUnexpected Document Modifications,Words, Messages, GraphicsNew Macros AppearTools→Macro Is DisabledGlobal Template File Date Is CurrentStartup Directory Contains New FilesView the Document with a Text Editor
Try a Virus ScannerGet a Clean ApplicationBypass AutomacrosInspect Data and Delete Malicious MacrosRepairing Word DocumentsManually Repairing Other DamageRestore from a Backup
Disable Macros in DocumentsUpgrade All Versions of Office to the Latest VersionAutomate Document ScanningSet Office Security to HighLocking the VBA Normal ProjectSave Normal Template PromptConfirming Downloads for Office DocumentsRename DEBUG.EXEWord Startup SwitchesNetwork Security
The Future of Macro VirusesGetting rid of Microsoft Office isn’t the answer
The Threat
Remote Administration TrojansBackdoor ProgramsNetwork RedirectDistributed AttacksDenial of ServiceDirect ActionAudio and Video CapturingPhone Dialing TrojansPassword StealersKeyloggersParasites
StealthHiding as Source CodeCompressorsBindersSweep ListsScript Trojans
Startup ProgramsIP PortsTCP and UDPNetStat Command
Back OrificePICTURE.EXE TrojanWin32.Ska-Happy99Win32.ExplorerZipWin32.PrettyParkJS.KAK.WormBat.Chode.WormWin32.QazLife Stages Worm
Cut Off Internet AccessUse Scanners and DetectorsCheck Your Startup FilesCheck MemoryLook for Trojan PortsDelete Trojan FilesExtra Steps for Email Worms
Don’t Run Unknown Executable ContentScanners and Detector ProgramsDisable NetBIOS over TCP/IPDownload the Latest IE and OS PatchesPassword-Protect Drive SharesConsider Limiting Email AttachmentsRename or Remove Key ExecutablesChange File Associations of Potentially Harmful ProgramsUse FirewallsRun Programs as a Nonadmin
Introduction to Instant MessagingTypes of Instant Messaging NetworksMobile Messaging
ICQInternet Relay ChatWeb ChatsProprietary IM Standards
IRC NetworksIRC ClientsIRC CommandsOther IRC FeaturesDCCCTCP
Hacking AIM and ICQPunters and bustersMalicious file transfersName hijackingIP address stealingWeb buffer overflowHacking IRCScript filesBotsLagFloodingNetSplitNick collision killChannel desyncsChannel warsNetwork redirection
Example Malicious ScriptsCTCP floodMass deop attackIRC Worms and TrojansSimpsalapimMr. WormyUsing IRC to Send VirusesSepticScript worms less of a threat now
Introduction
What Is a Browser?Browser versionsURLsHiding malicious URLs
HTMLViewing HTML source codeHTML versionsXMLDHTMLScripting LanguagesJavaScriptVBScriptJScriptRemote scripting callsHypertext preprocessor scriptHTML Applications
Cascading Style SheetsPrivacy IssuesCookiesHistoryFramesFile and Password CachingAutoCompleteMicrosoft Wallet and PassportHTTPS and SSLActive DesktopSkins
Browser-Based Exploits
Viruses and TrojansHTML.InternalPHP viruses and TrojanseBaylaHotmail password exploitEmbedded malicious code in shared postingsHTML applicationsBrowser Component ExploitsBrowser print templatesFile upload formsRedirection ExploitsWeb spoofingJavaScript redirectXML redirectCSS/DHTML redirectFrame problemsDotless IP address exploitApplication Interaction ExploitsRussian New YearMedia Player vulnerabilitiesPowerPoint buffer overflowOffice 2000 ODBC vulnerabilityTelnet attacksActive Desktop exploitsMore Office HTML exploitsPrivacy InvasionsCookie exploitsCookie hijackingWeb bugsApplication monitorsImportExportFavorites exploitCached data bugs
Use an Antivirus Scanner or FirewallCheck Unexpected or Unexplained ErrorsView Source CodeLook for the FileSystemObject in ScriptsLook for Unexpected Newly Modified Files
Remove Malicious FilesEdit or Delete Modified FilesRun Repair Tool
Configure Browser Settings and ZonesInternet Explorer security settingsInternet Explorer security zonesInternet security registry settingsNew cookie management updateInternet Explorer Administration KitInstall the Latest Version of Browser and Security PatchesInstall and Use an Antivirus ScannerAvoid Untrusted Web SitesRemove HTA Association
JavaJava Virtual MachineJava Byte CodeJava Applet Versus Java ApplicationJava’s Just-In-Time Compiler
Java Security -- Classic ModelByte Code VerifierApplet Class LoaderName spacesThe Security ManagerCLASSPATHSome say the sandbox is too secureJava security expandsJava 2™ Security -- A Granular ApproachArchive FormatsJava archivesNot all Java browsers are created equally
Paid to HackHistory of Java exploitsTypes of ExploitsAttacks within the sandboxSocial engineering appletsJava viruses and TrojansApplets that break the sandbox
Annoying AppletsJava.NoisyBearHostile Thread Java appletDigiCrime’s IrritantJava VirusesStrange Brew Java virusBeanHive Java virusHoax Java bombsCompromising IntrusionsDNS subversion trickBug in the Java Byte Code VerifierMicrosoft Virtual Machine Verifier vulnerabilityPlug-ins
Total Security: Disable JavaRun Only Trusted JavaUse an Antivirus ScannerFirewallsConfigure Stronger Browser Java SecurityInternet Explorer Java securityJava-specific settings in Internet ExplorerJava Scratch PadCustomizing Java permissions in Internet ExplorerApply the Latest Security PatchesUse the Latest Browser VersionKnow Your Java CLASSPATHDisable Plug-insRemove Unneeded AppletsAvoid Malicious SitesBe Aware of Social-Engineered Malicious Code
ActiveXActiveX ControlsActiveX ScriptingSafe for scripting and initializingDifferences Between ActiveX and JavaActivating ActiveXCabinet archival files
Digital Signing and CertificatesDigital authentication summaryEncryptionA simple encryption examplePublic key securityHashingCertificates and certificate authoritiesDigital certificate incompatibilitiesCertificate granting processTrusting the trust giverRevocationAlways trusting a certificateAuthenticodeJava, Authenticode, and Internet ExplorerTimestampingSigned Code in ActionInternet Explorer and Authenticoded Java
ActiveX Has No SandboxSafe for Scripting VulnerabilityBuffer OverflowsUsers Can’t Be TrustedAuthenticity Doesn’t Prevent TamperingAuthenticode Is Only as Strong as Its Private KeysWeak RevocationNo GranularityActiveX Controls Are Registered to the MachineNo Easy Way to See All ControlsSecurity in Browser
ExploderRunnerInfoSpace CompromiseQuicken ExploitMicrosoft’s Not Safe for Scripting ControlsNorton Utilities exploitHelp desk controlsDHTML edit vulnerabilityTaskpadsScriptlet.typlib and Eyedog exploitsOffice 2000 UA controlActive Setup controlWindows 2000 Sysmon Buffer Overflow
Run Only Trusted CodeKill Bit SettingExamine CertificatesConfigure ActiveX Browser SecurityRemove Unnecessary ControlsReappearing controlsError messages while removing controlsViewing and removing all controlsView Trust RelationshipsChange Safe for Scripting FunctionalityEnable Certificate Revocation Checking
Introduction
Types of EmailMIMEEncrypted emailNewsgroupsPreview paneHiding behind emailWhy Is Outlook Such a Popular Target?Microsoft Outlook TechnologyOutlook interfacesWindows Scripting HostEncoded scriptsFuture of WSH
Email WormsBubbleboyILoveYou virusHiding virusesHybrisEmail ExploitsUsers don’t even have to open email to execute exploitInternet cache vulnerabilityCompiled help vulnerabilityvCard buffer overflow
Information for Microsoft ExchangeServer AdministratorsExMerge
Disable Scripting and HTML Content in EmailTreat Unexpected Emails with CautionKeep Email Client UpdatedRun Antivirus SoftwareImplement Outlook Security PatchGetting around blocked access to file attachmentsPreventing malicious code from using Outlook to spreadStrengthening overall Outlook securityOptions for Outlook 97 and Outlook Express usersProblems with Outlook Security UpdateUninstalling the Outlook Security UpdateRemove WSH AssociationReveal Hidden File ExtensionsIf You Use Web-based Email, Use Vendors Who Use Antivirus ScannersModify Security on Outlook ClientsSet Up Message Monitoring
The Mother of All Computer VirusesBamboozledWhy Do People Write Hoax Messages?Partial TruthsHoaxes Can Come True
Virus WarningGood Times virusChain LettersSympathy requestsFake news reportsGiveawaysThreats
Read Message Looking for Telltale SignsSearch for Information on HoaxWeb sites about hoaxesCommercial vendor web sites
Let Others Know It Is a HoaxUse ExMerge to Delete All Hoax Messages at OnceSet Up an Email Filter
Future Hoaxes Will Be Better
Defense Strategy
How to Create a Malicious Mobile Code Defense PlanGet management to buy inPick a plan teamPick an operational teamTake a technology inventoryDetermine plan coverageDiscuss and write the planTest the planImplement the planProvide quality assurance testingProtect new assetsTest Rapid Response TeamPredefine a process for updating and reviewing planThe PlanRemember to address foreign computers and networksPlan coreDeploymentDistributing updatesCommunication planEnd user educationRapid response planRapid Response Plan Steps
Checksums Versus Scan StringsTraits of a Good Antivirus ScannerFast and accurateStabilityTransparencyRuns on your platformsCustomizableScanner should protect itselfGood cleaning rateScanning archived filesHeuristicsRescue disketteAutomated updatesGood technical supportProactive researchEnterprise capabilitiesLoggingNotificationEmail capabilities
DesktopEmail ServerFile ServerInternet BorderWhere Should Antivirus Software Run?Other Antivirus Scanner ConsiderationsWhen to scanInternet-based scanningShould you disable the antivirus scanner to install new software?
FirewallsIntrusion DetectionHoney PotsPort Monitors and ScannersSecurity ScannersInternet Content ScannersMiscellaneous UtilitiesSmartWhoIsLocking programs downFilemon and RegmonGoat filesGood Backup
Symantec’s Norton Antivirus
The Future of ComputingMedia ConvergenceDistributed ComputingOther Key Technology ChangesP2P computingMicrosoft’s domination weakensSmall computersAppliance computingGovernment monitoring
Malicious Code Popularity Will IncreaseHacktivism Will RiseIncrease in Linux VirusesConnectedness Can Be a WeaknessDenial of Service AttacksAttack of the Killer Copier
Audit All CodeUltimate AuthenticationMore Secure ApplicationsPrevent Unauthorized Code ChangesISP ScanningAllow Only Approved Content to ExecuteNational Security InfrastructureStiffer Penalties

Content preview from Malicious Mobile Code

What Is Malicious Mobile Code?

Malicious mobile code (MMC) is any software program designed to move from computer to computer and network to network, in order to intentionally modify computer systems without the consent of the owner or operator. MMC includes viruses, Trojan horses, worms, script attacks, and rogue Internet code. The intentional part of the definition is important. Design flaws in the Microsoft Windows operating system are responsible for more data loss than all the malicious code put together, but Windows wasn’t intentionally designed to destroy your data and crash your system. And it certainly doesn’t sneak on your hard drive without permission to get there. MMC used to mean DOS computer viruses, Trojans, and worms. Today, you have to add all harmful programs created with scripting languages and empowered by Internet technologies: macro viruses, HTML, Java applets, ActiveX, VBScript, JavaScript, and instant messaging. There are even viruses that infect Windows help files. Today, simply scanning executable files and boot sectors isn’t enough.

There is a technological war going on. There are good guys and bad guys. Every second of every day, tens of thousands of pieces of MMC are trying to break into some place they shouldn’t be, delete data, and mess up the day of many fine people who are just trying to work. Mischievous hackers write malicious code and release it in to the unsuspecting world. People lose data and productive time as bugs are discovered and removed. ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

Publisher Resources

ISBN: 156592682XErrata Page

Malicious Mobile Code

by Roger A. Grimes

What Is Malicious Mobile Code?

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

How I Built a Personal Board of Directors With GenAI

How to Become a Game-Changing Leader

What Successful Project Managers Do

Publisher Resources

What Is Malicious Mobile Code?

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

How I Built a Personal Board of Directors With GenAI

How to Become a Game-Changing Leader

What Successful Project Managers Do

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.